Transcript Slide 1
Designing Internal Control
Systems for Small- and
Medium-Sized Entities
Presented by Larry L. Perry, CPA
CPA Firm Support Services, LLC
7/20/2015
www.cpafirmsupport.com
1
Learning Objectives
Review the fundamental concepts and the
components of internal control
Understand how to design and operate
effective accounting and internal control
systems for smaller entities
Consider flowcharts for documenting financial
reporting and internal control systems
7/20/2015
www.cpafirmsupport.com
2
The Foundation of Internal
Control--COSO
Internal control is a process. It is a means to an
end, not an end in itself.
Internal control is not merely documented by policy
manuals and forms. Rather, it is put in by people at
every level of an organization.
Internal control can provide only reasonable
assurance, not absolute assurance, to an entity’s
management and board.
Internal control is geared to the achievement of
objectives in one or more separate but overlapping
categories.
7/20/2015
www.cpafirmsupport.com
3
In the Beginning--COSO
Committee of Sponsoring Organizations of the
Treadway Commission—1985
Formed to study and report on factors that lead
to fraudulent financial reporting
Published Internal Control—Integrated
Framework—1992
Published Internal Control over Financial
Reporting—Guidance for Smaller Public
Companies—2006
Published updated Internal Control—Integrated
Framework--2013
7/20/2015
www.cpafirmsupport.com
4
The COSO Framework—Still
Standing
Components
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
Principles added in 2013
7/20/2015
www.cpafirmsupport.com
5
The Tone at the Top and the Bottom
Control environment
Sets the tone of the organization
The foundation of all other components
Includes the integrity, ethical values and
competence of personnel
Management is the primary influence:
Operating philosophies and style
Ways of assigning responsibility and authority
Ways of developing and organizing employees
Board of directors governance activities
Employees do as management
does, not as they say!!!
7/20/2015
www.cpafirmsupport.com
6
The Entity’s Risk Assessment
Process
Risk comes from internal and external sources
Risk is based on operational and financial
objectives
The identification and analysis of risks that affect
the accomplishment of objectives should result
corrective action
Risk assessment becomes the basis for deciding
how the various risks should be controlled
7/20/2015
www.cpafirmsupport.com
7
Polling Question No. 1
If an entity has an effective control
environment, none of the other components
of internal control are necessary.
7/20/2015
A. True
B. False
www.cpafirmsupport.com
8
Control Activities May Be Formal or
Informal
Control Activities
Ensure application of management’s policies
and procedures
Ensure risks are detected on a timely basis and
managed
Provide asset security and internal checks for an
accounting system
Occur in all accounting functions, at the entity
level (key controls) and at the activity level
7/20/2015
www.cpafirmsupport.com
9
Key Controls
Key controls are considered primary to
accomplishing an internal control objective
Management may focus on key controls to
evaluate design and operating effectiveness
Owners and managers provide key controls
for small entities
7/20/2015
www.cpafirmsupport.com
10
How Key Controls Work
Considering the nature, size and complexity of an entity
and its key controls
Control environment—the tone at the top
Entity’s risk assessment process
Management considers financial reporting objectives,
financial reporting risks, fraud risks, etc. and designs
and/or operates preventive controls and anti-fraud
programs
Entity’s internal control communication process
Internal and external communications by management
provide information that prevents misstatements
occurring and going undetected
Entity’s internal control monitoring process
7/20/2015
Management’s involvement in operations day-to-day,
through budget utilization, by using analytical procedures
or by simple “walk-around” controls provides assurance
controls are working
www.cpafirmsupport.com
11
Activity-Level Controls
The financial reporting system
Internal check functions performed by
management and others
General and applications controls over
information processing
Controls for safeguarding assets
Performance measurements
Separation of duties
7/20/2015
www.cpafirmsupport.com
12
Information Systems—the Keys for
Success
Information and communication
The identification, capture and communication of
timely information
Operational and financial reports necessary for
production and management (internal and
external)
Communication of the importance of internal
control responsibilities
Lines of communication for feedback to
management
7/20/2015
www.cpafirmsupport.com
13
The Internal Check-Up
Monitoring
On-going procedures during operations
Employees
Management
Separate evaluations
7/20/2015
Related to assessment of specific risks
Internal audit of compliance in larger entities
www.cpafirmsupport.com
14
Polling Question No. 2
A good system of internal control for a small
entity contains which of these features?
7/20/2015
A. An owner or manager with high integrity
B. Auditors that perform monthly risk assessment
procedures
C. Accounting software with developmental
modules
D. An internal audit department
E. None of the above
www.cpafirmsupport.com
15
Using a Small Audits Internal Control
Questionnaire
Key controls drive management’s risk
assessment process
The SAICQ should focus on assessing risks for
assertions at the financial statement
classification level
Only relevant assertions should be considered
The absence of key controls or key controls
operating improperly can be potential risks of
misstatement
7/20/2015
www.cpafirmsupport.com
16
Flowchart Preparation
To facilitate the risk assessment process, flowcharts should be
designed to capture the risks resulting from the information
flows of each transaction cycle
A flowcharting guide or other reference materials should be
used to make sure all data, documents and accounting system
procedures are included and sufficient “what could go wrong”
questions are asked
Flowcharting techniques should include standard organization
that demonstrates the transactions’ flow from beginning to end
A SAICQ or other reference material should be used to identify
key and activity-level controls on the flowchart
Flowcharts may be prepared using the draw symbols in Word or
Excel, with flowcharting software programs or the old-fashioned
way with template, pencil and paper
7/20/2015
www.cpafirmsupport.com
17
Polling Question No. 3
Reasons for using flowcharts to document
accounting and internal control systems include
which of the following?
A. A logical transaction flow facilitates analysis
B. It makes the CFO look really good
C. It is an easy way for the CFO to hide things
D. None of the above
7/20/2015
www.cpafirmsupport.com
18
Designing Cost-Effective Internal Control
Systems for Smaller Entities--COSO
Oversight by owner or
6. Achieving further
manager
efficiencies
2. Effective board of
a. Use a risk-based
directors
approach
3. Overcoming lack of
b. Create relevant
segregation of duties
documentation of IC
4. Limiting risks associated
policies and
with the IT system
procedures
5. Monitoring control
c. Document evidence of
activities
performing IC
a. Establish foundations
procedures
b. Focus monitoring
procedures on key
controls
c. Assessing and
reporting results www.cpafirmsupport.com
19
7/20/2015
1.
Conclusion
Internal control and fraud prevention are the responsibilities
of management.
Internal control systems are always relevant to the nature,
size and complexity of an entity.
Key controls designed and operated by owners or managers
of small entities are the primary methods of preventing and
detecting errors and fraud.
Internal control procedures should provide reasonable
assurance that errors or fraud will not occur and go
undetected.
The benefits of internal control procedures should outweigh
their costs.
The design process includes understanding accounting
systems and existing internal controls, identifying what could
go wrong and designing cost-beneficial control activities and
anti-fraud programs that are likely to prevent and detect errors
and fraud.
7/20/2015
www.cpafirmsupport.com
20
Polling Question No. 4
The best way to design an internal control
system for small entities is to use all the
procedures on an ICQ for a large entity
A. True
B. False
7/20/2015
www.cpafirmsupport.com
21
The End
What to do if you want more
Email Larry Perry: [email protected] with
questions
Visit www.cpafirmsupport.com for webcast resources
Register for free email newsletter on CPA Firm Support
website
Read Larry Perry’s blog and articles, Today’s World of
Audits, at www.accountingweb.com under the Bloggers
Crew tab and A&A articles for small audit and other
subjects
Watch for Larry Perry’s Performing Small Audits, Reviews
and Compilations for Entities using Special Purposte
Frameworks (including the AICPA’s FRF for SMEs) from
Wiley & Sons in 2015
7/20/2015
www.cpafirmsupport.com
22